Beware the black market for IPv4 addresses

Organisations slow to adopt IPv6 take heed: Surging requests for IPv4 addresses are quickly drying up the available store, raising the spectre of an IPv4 black market that could dramatically increase the cost of obtaining a presence on today's Internet.

Organisations slow to adopt IPv6 take heed: Surging requests for IPv4 addresses are quickly drying up the available store, raising the spectre of an IPv4 black market that could dramatically increase the cost of obtaining a presence on today's Internet.

Previous predictions pegged late 2011 as the anticipated date of IPv4 address exhaustion. But a sudden turnaround in the rate of allocation for IPv4 addresses this year has consumed an alarming number of "/8" IPv4 address blocks - /8 being the unit of allocation to Regional Internet Registries (RIRs).

"There were just eight /8 allocations in all of 2009, but there have been six /8s issued just in the first 100 days of 2010," notes American Registry for Internet Numbers (ARIN) CIO Richard Jimmerson.

As of this writing, only 20 IPv4 /8s remain in the Internet Assigned Numbers Authority (IANA) pool of 256 /8s. At the current rate, the IANA pool may well be exhausted by the end of this year (see graphic below). And though the transition from IPv4 to IPv6 has been long anticipated, many organisations are ill-prepared for the fallout of IPv4 exhaustion. In addition to being required to maintain web presence in both address spaces until the Internet's transition is complete, new services, such as Microsoft's DirectAccess, are increasingly becoming available only on IPv6, as tech vendors and service providers increasingly find IPv4 too expensive to support.

IPv4 black market: A matter of supply and demand

The coming IPv4 shortage has been foreseen for years, but organisations needing an Internet presence - businesses, educational institutions, government agencies, and the like - have largely been in denial about the inevitability of IPv4 exhaustion.

Related

At last October's dual celebration of ARPAnet (the Advanced Research Projects Agency Network that preceded the Internet) and the 125th anniversary of event sponsor IEEE, Internet pioneer Vincent Cerf urged immediate IPv6 adoption because Internet growth is not slowing: "We are going to see billions and billions of devices on the Net. The Internet, for its part, has invited many people to contribute content."

In a more recent interview, ARIN's Jimmerson says, "Yes, there was a dip [of IPv4 assignments] in 2009, but 2010 is accelerating. Lots of new applications - next-gen Wi-Fi, cloud services, and smart grid - are taking off, and regions such as Asia and South America are coming online rapidly."

IPv4, which uses 32-bit addresses, is capable of supporting 4.3 billion total addresses, but severe fragmentation makes utilisation of the full range of IP addresses inefficient. Worse, many consider reclaiming unused IP space a far too complex and expensive undertaking. As such, when the last IPv4 /8 is allocated, new Internet players could find high prices and a black market the only practical means of getting IPv4 addresses.

Well-known Internet engineer and notable Internet "pseudo-economist" R. Kevin Oberman points out that this black market already exists, albeit on a small scale.

"The probability of black market growth depends on how run-out of IPv4 addresses is handled by the regional registries," Oberman says. "A black market is uncontrolled by definition. If you have a commodity that has value and is required for commerce, the price will rise to whatever willing buyers will pay."

Currently, Oberman notes, IPv4 addresses are still relatively easy to get, because significant anti-fraud measures haven't yet been put in place by registries such as ARIN.

"Most of the current black market is a matter of convenience, because ARIN's IPv4 costs, and those of other registries, are low for large organisations. But if you're a small company, the expense can be fairly high," Oberman says. "If the survival of your business depends on getting IPv4 addresses, you'll be willing to pay for them, even if you have to skirt the rules."

Oberman believes that regional registries such as ARIN should head off a potentially deleterious black market by creating a "white market" with established rules for trading IPv4 addresses at market-established costs.

"If people have legitimate rules that permit address transfers, they'll use them instead of a black market," Oberman says.

IPv6, which uses 128-bit addresses, can support an essentially unlimited address space: 2 to the 128th power, or 3.4 with 38 zeros after it. But the opportunity to cleanly switch from IPv4 to IPv6 passed many years ago. The current transition strategy, called "dual stack," requires businesses to remain connected to both IPv4 and IPv6 networks until most of the Internet gets to "the other side" - a process expected to take at least five years. Until then, the cost ramifications of IPv4 exhaustion will be widespread.

IPv4 black market: The rising cost of scarcity

ARIN's Jimmerson agrees that an accelerating black market for IPv4 addresses is possible. Yet ARIN's membership has been proactive about providing at least limited address transfer opportunities to mitigate that problem, Jimmerson says.

"ARIN is a member-driven organisation, but even non-members from the Internet community at large can participate in the policy development process," Jimmerson notes. "That community has proposed a policy change[6], which ARIN recently adopted, to permit an IPv4 registrant to transfer numbers to another party."

Under that new rule, a company can return IPv4 numbers to ARIN and designate the intended recipient. ARIN isn't involved in any financial transaction that may occur between the parties, and only promises the recipient will receive the addresses if the recipient first files, and ARIN approves under its transfer guidelines, the necessary usage justification forms.

"There may still be black market activity, but with this policy, it's more likely that people will transfer numbers out in the open," says Jimmerson. "The important thing is that IPv4 registration records accurately identify the registrant who has authority over each allocation."

Jimmerson believes organisations are less likely to engage in black marketing if their business names are attached to the numbers being trafficked.

"It's very likely that over the next year the community will continue to fine-tune the address allocation policy set, which includes both IPv4 and IPv6," Jimmerson says.

Such a move could mean price increases as depletion nears. Under today's rules, a small organisation would pay a minimum of $1,250 annually for a /24 assignment, which represents 256 addresses, the smallest block that can be portably routed on the Internet. Smaller allocations than this must be obtained from an ISP, at the cost of a few dollars per month per IP address. Larger organisations could pay between $4,500 and $18,000 per year, but in all cases address holders must provide justification to their registry to continue using IPv4 allocations.

IPv4 black market: Staving off inevitability

As IPv4 nears exhaustion, Oberman's vision of a pricey black market could still materialise, even with ARIN's new transfer policy.

"The problem is big enough that you'll never have 100 percent enforcement, which is why we have a small black market today," Oberman says. "People could start speculating, and that will drive prices up on both black and white markets."

A possible stress reliever could come in the form of forced reclamation of unused, or fraudulently used, IP space.

"The community had an opportunity two years ago to choose reclamation over the new transfer policy. We determined that reclamation could gain four to six /8s, which would be a painful process that at best that would forestall exhaustion four to six months," says Jimmerson.

But ARIN and its sister registries have the authority to reclaim space if necessary, because users are only loaned use of IP numbers.

"ARIN has put a lot of energy into anti-fraud procedures," says Jimmerson. "As we run out of this valuable resource, we actively apply these anti-fraud measures that include vetting organisations, scrutinising justification, as well as providing a mechanism for people to report fraud and misuse, to avoid hoarding and speculation."

Jimmerson points out a twist to the IPv4 exhaustion problem: An IANA global resource policy calls for the remaining five /8s to be immediately distributed to the RIRs as soon as that trigger point is reached, which ARIN believes will likely occur in 2011, although current usage suggests it could happen later this year.

"When that happens, we have a reserved /10 block [4.2 million IP addresses] set aside for organisations that run IPv6 but need one or two IPv4 addresses for protocol transition," Jimmerson says.

Except for this reserve pool, however, Jimmerson expects the last addresses will be issued by registries anywhere from one day to six months after this IANA trigger occurs.

IPv4 black market: Escaping the black

Both Jimmerson and Oberman agree that businesses have no time to lose in moving to IPv6. While IPv4 will be needed for the foreseeable future, the sooner the Internet community abandons this legacy protocol, the less impact any potential black market could have on Internet commerce. They predict that many new servers will be IPv6-exclusive, gradually isolating IPv4-only Internet users.

The trail to IPv6 is well blazed. ICANN (Internet Corporation for Assigned Names and Numbers) added IPv6 to its root name servers[8] back in 2004. Federal agencies largely met a mid-2008 deadline[9] to support IPv6, which first became operational on the Internet that year. All major server and desktop operating systems -- Windows, Unix, Linux, and Mac OS X -- have supported IPv6 for several years, as have major Internet client applications such as Internet Explorer, Safari, Chrome, and others. Most network equipment has IPv6 built-in.